Helpdesk and IT support staff should find this scenario familiar: a user with a desktop, a laptop, a netbook, a smartphone, and a computer or two at home wants a way to keep their files synchronized across all of them at all times. The rise of cloud services and the bring-your-own-device phenomenon have only reinforced the need to have access to everything from anywhere at all times.

Offering networked storage, VPNs, and collaborative tools like SharePoint can help to alleviate the problem, but these services often lack the automation, reliability, and simplicity that end-users demand. Many cloud services exist to fill this gap, but in so doing expose sensitive data to what many would consider an unacceptable risk. SpiderOak is an attempt to solve those problems by combining the security associated with internal filesharing options with the power of cloud-based file-syncing products.

For most individuals, cloud-syncing software is a great answer to the synchronization problem. The cloud sync field is fiercely competitive, and there are products for just about every usage model. Each of these products has its strong points: Dropbox's user-friendliness, SugarSync's wide support for multiple platforms and its increased customization options, and Box's many enterprise-targeted features. And there are less-directly-comparable cloud products like Apple's iCloud, which integrates tightly with iOS and OS X but requires that developers leverage its APIs; and Microsoft SkyDrive, which is closely tied to Microsoft's Office apps and will likely be the de facto standard cloud storage service in the forthcoming Windows 8.

Despite their differences, these products have one thing in common: employees of the companies that provide them can still access your data.

According to their respective privacy policies, the operators of these services normally only access files in response to a request from law enforcement or something similar. But that capability also leaves this data more susceptible to breaches or other illicit behavior. In an environment where users may upload sensitive information about the business and its clients, storing that information with a third party raises definite security and privacy concerns. System administrators often need to be able to demonstrate to higher-ups (and lawyers) that a data breach or accident on the part of a third party will not expose any sensitive or proprietary data.

SpiderOak tries to address data privacy concerns head-on. The service has a strong privacy policy, and it backs it up with client-side encryption. But does the beefed-up security model that will let IT managers sleep at night come at the expense of user-friendliness?

All four of the products I looked at provide client support for the major desktop and mobile platforms—Windows, OS X, iOS, and Android—and provide Web portals for access to your files for those platforms that don't have their own client. Dropbox and SpiderOak also have Linux clients, and SugarSync is the only product of the four that filled the shrinking Windows Mobile and Symbian niches.

While SugarSync and Box both offer more storage for free, SpiderOak has an advantage in both capacity and price once you start spending money—you can get 100GB from SpiderOak for the price of 50GB from Dropbox and Box or 60GB from SugarSync. And while the other services have maximum capacity limits, SpiderOak will keep doling out storage in 100GB chunks for as long as you’re willing to pay. SpiderOak also offers half-off educational discounts for any user with a valid .edu email address.

All of the services but Box also offer referral programs for their free products: Dropbox gives users 500MB per referral up to a cap of 16GB, while SpiderOak gives out 1GB per referral up to a cap of 10GB. SpiderOak’s refer-a-friend program had a much more generous cap of 50GB until just last month, when abuses of the program led to its downsizing. SugarSync offers 500MB per referral up to a cap of 32GB when your friends open a free 5GB account, and 10GB per referral with no cap when your friends open a paid account.

On paper, SpiderOak stacks up well against the competition. To test its features and ease of use, I’ll primarily be comparing it against Dropbox, which is really today’s standard in terms of market share and ease of use.

Security features

The chief difference between SpiderOak and its competitors for the security and privacy-conscious is in how the services treat user data. Last year, for example, some poorly worded changes to the Dropbox Terms of Service appeared to give the company rights to its users’ intellectual property. While the offending terms were quickly changed, they drew attention to the fact that Dropbox employees can still get file-level access to your data when they deem it necessary (for example, when complying with a request from law enforcement or a DMCA takedown request).

SpiderOak, on the other hand, tells users up front that it never knows a user’s password or encryption keys, preventing anyone at the company from accessing your data for any reason. Both Dropbox and SpiderOak encrypt user data on their servers using 256-bit AES encryption, but SpiderOak takes the extra step of encrypting the decryption key itself. This key can itself only be decrypted with the user’s password, which SpiderOak never knows (the full authentication process is laid out here).

The downside of this scheme is that your data is unrecoverable if you forget your password. But the upside is that you’re absolutely guaranteed security and privacy, a must for individuals and businesses that deal with sensitive data—such as Social Security numbers, financial data, and pretty much anything that schools keep on file about their students. Dropbox offers no such capability, and while some users have used extra software like TrueCrypt to add an extra layer of security to files uploaded to Dropbox, the company doesn’t officially support this solution—since, obviously, using TrueCrypt would also prevent easy file sharing and the use of the Dropbox Web client.

SpiderOak also offers two-factor authentication to paying SpiderOak customers in North America. For the uninitiated, two-factor authentication is a security principle that requires two pieces of information from you before allowing access to a service or resource. You may be familiar with this if you use banking or other financial sites, which often require a PIN or the answer to a secret question in addition to your username and password. In SpiderOak’s case, enabling two-factor authentication will require a code sent to you via SMS as well as your account password every time you log in.

Andrew Cunningham
Andrew has a B.A. in Classics from Kenyon College and has over five years of experience in IT. His work has appeared on Charge Shot!!! and AnandTech, and he records a weekly book podcast called Overdue. Twitter@AndrewWrites